Samba, firewall and me. Again...

Server: Leap 15.3, samba allowed in firewall with Yast.

Client 1: Windows 10 -> shares are seen and accessible, with firewall enabled or disabled.

Client 2: FireTV stick -> same shares are only accessible with firewall disabled, else KODI says “couldn’t connect to network server”. WTF?

I vaguely remember having to open nmb ports, but this was with openSUSE 42.something. And if so client 1 wouldn’t see the shares anyway?

On Windows 10 shares were set manually as shortcuts to \\<server_ip>\<share_name>. On KODI (on the fireTV stick) you select the location (like //smb or similar) and the shares should be shown, but nothing is found if the firewall is enabled in the server.

Any ideas?

Thanks,

Bruno

FWIW, both

systemctl status smb

and

systemctl status nmb

show the services as active (running).

Any way I can see what ports are opened when I add the samba service in Yast firewall?

Just speculating, perhaps the firetv stick requires netbios, and its ports are not open by the samba service.

Likely the FireTV stick uses different ports, not only SMB.

Find out the IP address the FireTV stick has (for example 111.222.333.444) and, with the firewall disabled and the FireTV stick active, run:

lsof -i | grep '111.222.333.444'

That will list active connections to the device including the ports, check them against the firewall.

If that does not work, you can run wireshark (you might have to install it), that will dump all traffic, so start it capturing before the FireTV stick is connecting and keep it running till it runs.
Select Capture → Options, select the interface the FireTV stick is connected to and filter again on the IP address of the FireTV stick.

https://paste.opensuse.org/images/92368640.png

I.e. replace 192.168.111.1 in the picture above by the IP address of the FireTV stick.

Once the FireTV stick is running, stop the capture and open Statistics → Protocol Hierarchy. That will again list all types of traffic and should give you an idea on what additional ports need to be opened.

You could show us your firewall config…

firewall-cmd --list-all
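
The following bash script is an added example, not written by any poster in this thread. It prints the ports that each enabled firewalld service opens and lists listening sockets that none of them covers. The function names and the sample data in demo are made up for illustration; firewall-cmd --info-service, --list-services, --list-ports and ss -H -tuln are the real commands it relies on.

```shell
# Added example: list listening sockets that firewalld does not let in.
# Live use: allowed_ports > allowed.txt; ss -H -tuln | blocked_listeners allowed.txt

# Print every port/proto the zone allows ($1 = zone, empty = default zone).
allowed_ports() {
    local zone=${1:+--zone=$1} svc
    for svc in $(firewall-cmd $zone --list-services); do
        firewall-cmd --info-service="$svc" |
            awk '$1 == "ports:" { for (i = 2; i <= NF; i++) print $i }'
    done
    firewall-cmd $zone --list-ports | tr ' ' '\n'
}

# stdin: `ss -H -tuln` lines; $1: file of allowed port/proto entries
# (ranges like 1714-1764/udp accepted). Prints listeners not covered.
blocked_listeners() {
    awk -v allowed="$1" '
    BEGIN {
        while ((getline line < allowed) > 0) {
            if (split(line, a, "/") != 2) continue
            k = split(a[1], r, "-"); n++
            lo[n] = r[1] + 0; hi[n] = (k == 2 ? r[2] : r[1]) + 0; proto[n] = a[2]
        }
    }
    $5 ~ /^127\./ || $5 ~ /^\[::1\]/ { next }   # loopback never crosses the firewall
    {
        port = $5; sub(/.*:/, "", port); ok = 0
        for (i = 1; i <= n; i++)
            if (proto[i] == $1 && port + 0 >= lo[i] && port + 0 <= hi[i]) ok = 1
        if (!ok && !seen[port "/" $1]++) print port "/" $1
    }'
}

# Constructed sample data (not from the thread): ports of samba, nfs3,
# rpc-bind and kdeconnect are allowed; mDNS and mountd listen but are not.
demo() {
    local f; f=$(mktemp)
    printf '%s\n' 137/udp 138/udp 139/tcp 445/tcp 2049/tcp 2049/udp \
        111/tcp 111/udp 1714-1764/tcp 1714-1764/udp > "$f"
    blocked_listeners "$f" <<'EOF'
udp UNCONN 0 0   0.0.0.0:5353  0.0.0.0:*
udp UNCONN 0 0   0.0.0.0:20048 0.0.0.0:*
tcp LISTEN 0 50  0.0.0.0:445   0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:20048 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
tcp LISTEN 0 128 [::]:1716     [::]:*
EOF
    rm -f "$f"
}
```

A listener printed here is only a candidate: add its service to the zone only if a client on the network actually needs to reach it.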

Hi, sorry for the late reply, I’m having eye trouble these last days (thankfully temporary).


# lsof -i4 | grep mbd 
nmbd       1858    root   13u  IPv4  42291      0t0  UDP *:netbios-ns 
nmbd       1858    root   14u  IPv4  42292      0t0  UDP *:netbios-dgm 
nmbd       1858    root   15u  IPv4  42301      0t0  UDP bruno-03:netbios-ns 
nmbd       1858    root   16u  IPv4  42302      0t0  UDP 192.168.0.255:netbios-ns 
nmbd       1858    root   17u  IPv4  42303      0t0  UDP bruno-03:netbios-dgm 
nmbd       1858    root   18u  IPv4  42304      0t0  UDP 192.168.0.255:netbios-dgm 
smbd       1913    root   49u  IPv4  43625      0t0  TCP *:microsoft-ds (LISTEN)
smbd       1913    root   50u  IPv4  43626      0t0  TCP *:netbios-ssn (LISTEN)

As you can see, there’s no IP address. Weird.

I’ve made a mistake in my first report. The fireTV stick I referred to was not accessing a SMB share, but a NFS one.

I have another stick that is actually accessing the SMB share. Both sticks, curiously, lose the connection if the firewall is active when they are turned on or when the server is rebooted. To access the share, in either stick, I have to disable the firewall and access the share. After that I can enable the firewall back and the share continues to be accessible.


# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: kdeconnect kdeconnect-kde nfs nfs3 rpc-bind samba syncthing syncthing-gui synergy
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
#

I just noticed that in Yast firewall I can set it to restart or reload after saving the changes. Perhaps reload would keep some kind of authorization for the sticks? Probably not, but maybe worth testing later.

No, it doesn’t work that way.

If they rely on Avahi for discovery, then you need to open the port for ‘mdns’ (UDP port 5353).

Great, Deano! That fixed the samba share access on the second firetv stick.

Still no success with the first stick, that uses nfs. Is there another port for nfs?

thanks a lot!

I don’t use Kodi…what is not working for you with respect to viewing NFS shares?

Just in case the following is helpful to you…
https://kodi.wiki/view/NFS#NFS_sharing_from_Linux

A Kodi forum thread I found while searching…
https://forum.kodi.tv/showthread.php?tid=324698

BTW, are you using NFSv3 or NFSv4?

If the former, then the following is required…


# Firewall rules for NFSv3
firewall-cmd --permanent --add-service nfs3
firewall-cmd --permanent --add-service mountd
firewall-cmd --permanent --add-service rpc-bind
firewall-cmd --reload

Hi Deano,

Sorry (again) for the late reply, I’m still having eye trouble, so my monitor-staring time is severely restricted, but my eyes are slowly getting better, it’s a four month treatment.

Yast nfs-server has nfs v4 enabled, and the standard message that firewalld services for nfs-server are not available, and have to be configured manually.

nfs3 was enabled in firewall, but not mountd. After enabling it, it is working. YAY!

You got the nail in the head again, thank you very much!

Best regards,

Bruno

P.S.: just tested with nfs3 service disabled and it also works.

Glad to have been of assistance.